@lucern/sdk 0.2.0-alpha.6 → 0.2.0-alpha.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +7 -0
- package/.turbo/turbo-typecheck.log +4 -0
- package/CHANGELOG.md +13 -0
- package/examples/README.md +69 -0
- package/examples/contradiction.ts +94 -0
- package/examples/investigation-context.ts +118 -0
- package/examples/questions-and-tasks.ts +55 -0
- package/examples/quickstart.ts +97 -0
- package/examples/shared.ts +318 -0
- package/examples/strict-public-types.ts +143 -0
- package/examples/worktree-lifecycle.ts +79 -0
- package/package.json +16 -58
- package/src/README.md +6 -0
- package/src/adminClient.ts +789 -0
- package/{dist/lib/platform/sdk/answersClient.d.ts → src/answersClient.ts} +17 -4
- package/src/audiencesClient.ts +209 -0
- package/src/auditClient.ts +50 -0
- package/src/beliefsClient.ts +319 -0
- package/src/client.ts +2647 -0
- package/src/contextClient.ts +130 -0
- package/{dist/lib/platform/sdk/contextFacade.d.ts → src/contextFacade.ts} +6 -1
- package/src/contextPackCompiler.ts +828 -0
- package/src/contextPackSchema.ts +251 -0
- package/src/contextTypes.ts +153 -0
- package/src/contracts/api-enums.contract.ts +202 -0
- package/src/contracts/auth-session.contract.ts +109 -0
- package/src/contracts/context-pack.contract.ts +700 -0
- package/src/contracts/contextPack.ts +1 -0
- package/src/contracts/index.ts +10 -0
- package/src/contracts/lens-filter.contract.ts +183 -0
- package/src/contracts/lens-workflow.contract.ts +162 -0
- package/src/contracts/lensFilter.ts +1 -0
- package/src/contracts/lensWorkflow.ts +1 -0
- package/src/contracts/mcp-tools.contract.ts +3636 -0
- package/src/contracts/mcpTools.ts +1 -0
- package/src/contracts/prompt.contract.ts +50 -0
- package/src/contracts/prompt.ts +1 -0
- package/src/contracts/sdk-tools.contract.ts +1457 -0
- package/src/contracts/sdkTools.ts +1 -0
- package/src/contracts/workflow-runtime.contract.ts +440 -0
- package/src/contracts/workflowRuntime.ts +1 -0
- package/src/controlObjectOwnership.ts +286 -0
- package/src/coreClient.ts +570 -0
- package/src/customTools.ts +398 -0
- package/src/decisionsClient.ts +286 -0
- package/src/domainContext.ts +15 -0
- package/src/events.ts +531 -0
- package/src/eventsCore.ts +168 -0
- package/src/facade/beliefs.ts +83 -0
- package/src/facade/context.ts +110 -0
- package/src/facade/contradictions.ts +29 -0
- package/src/facade/edges.ts +30 -0
- package/src/facade/events.ts +23 -0
- package/src/facade/evidence.ts +41 -0
- package/src/facade/graph.ts +38 -0
- package/src/facade/identity.ts +16 -0
- package/src/facade/ontologies.ts +34 -0
- package/src/facade/questions.ts +59 -0
- package/src/facade/search.ts +16 -0
- package/src/facade/tasks.ts +37 -0
- package/src/facade/topics.ts +42 -0
- package/src/facade/webhooks.ts +58 -0
- package/src/facade/worktrees.ts +51 -0
- package/src/gatewayFacades.ts +1666 -0
- package/src/graphClient.ts +529 -0
- package/src/harnessClient.ts +585 -0
- package/src/identityClient.ts +278 -0
- package/src/learningClient.ts +95 -0
- package/src/mcpParityClient.ts +240 -0
- package/src/mcpParitySurface.ts +70 -0
- package/src/ontologyClient.ts +275 -0
- package/src/packRuntime.ts +3 -0
- package/src/packsClient.ts +260 -0
- package/src/policyClient.ts +572 -0
- package/src/realtime/index.ts +51 -0
- package/src/realtime/refs.ts +17 -0
- package/src/reportsClient.ts +99 -0
- package/src/schemaClient.ts +129 -0
- package/src/sdkSurface.ts +190 -0
- package/src/topicsClient.ts +243 -0
- package/src/types.ts +807 -0
- package/src/workflowClient.ts +826 -0
- package/tsconfig.json +9 -0
- package/dist/.generated +0 -2
- package/dist/index.d.ts +0 -3
- package/dist/index.js +0 -3
- package/dist/lib/platform/auth/credentials.d.ts +0 -5
- package/dist/lib/platform/auth/credentials.js +0 -40
- package/dist/lib/platform/sdk/adminClient.d.ts +0 -404
- package/dist/lib/platform/sdk/adminClient.js +0 -384
- package/dist/lib/platform/sdk/answersClient.js +0 -21
- package/dist/lib/platform/sdk/audiencesClient.d.ts +0 -93
- package/dist/lib/platform/sdk/audiencesClient.js +0 -111
- package/dist/lib/platform/sdk/auditClient.d.ts +0 -24
- package/dist/lib/platform/sdk/auditClient.js +0 -21
- package/dist/lib/platform/sdk/beliefsClient.d.ts +0 -157
- package/dist/lib/platform/sdk/beliefsClient.js +0 -124
- package/dist/lib/platform/sdk/client.d.ts +0 -2369
- package/dist/lib/platform/sdk/client.js +0 -1831
- package/dist/lib/platform/sdk/contextClient.d.ts +0 -21
- package/dist/lib/platform/sdk/contextClient.js +0 -86
- package/dist/lib/platform/sdk/contextFacade.js +0 -10
- package/dist/lib/platform/sdk/contextPackCompiler.d.ts +0 -100
- package/dist/lib/platform/sdk/contextPackCompiler.js +0 -534
- package/dist/lib/platform/sdk/contextTypes.d.ts +0 -133
- package/dist/lib/platform/sdk/contextTypes.js +0 -1
- package/dist/lib/platform/sdk/controlObjectOwnership.d.ts +0 -308
- package/dist/lib/platform/sdk/controlObjectOwnership.js +0 -220
- package/dist/lib/platform/sdk/coreClient.d.ts +0 -139
- package/dist/lib/platform/sdk/coreClient.js +0 -366
- package/dist/lib/platform/sdk/customTools.d.ts +0 -83
- package/dist/lib/platform/sdk/customTools.js +0 -247
- package/dist/lib/platform/sdk/decisionsClient.d.ts +0 -106
- package/dist/lib/platform/sdk/decisionsClient.js +0 -129
- package/dist/lib/platform/sdk/domainContext.d.ts +0 -1
- package/dist/lib/platform/sdk/domainContext.js +0 -1
- package/dist/lib/platform/sdk/events.d.ts +0 -176
- package/dist/lib/platform/sdk/events.js +0 -261
- package/dist/lib/platform/sdk/eventsCore.d.ts +0 -13
- package/dist/lib/platform/sdk/eventsCore.js +0 -13
- package/dist/lib/platform/sdk/gatewayFacades.d.ts +0 -586
- package/dist/lib/platform/sdk/gatewayFacades.js +0 -845
- package/dist/lib/platform/sdk/graphClient.d.ts +0 -266
- package/dist/lib/platform/sdk/graphClient.js +0 -235
- package/dist/lib/platform/sdk/harnessClient.d.ts +0 -309
- package/dist/lib/platform/sdk/harnessClient.js +0 -219
- package/dist/lib/platform/sdk/identityClient.d.ts +0 -134
- package/dist/lib/platform/sdk/identityClient.js +0 -131
- package/dist/lib/platform/sdk/index.js +0 -49
- package/dist/lib/platform/sdk/learningClient.d.ts +0 -40
- package/dist/lib/platform/sdk/learningClient.js +0 -53
- package/dist/lib/platform/sdk/mcpParityClient.d.ts +0 -69
- package/dist/lib/platform/sdk/mcpParityClient.js +0 -196
- package/dist/lib/platform/sdk/mcpParitySurface.d.ts +0 -10
- package/dist/lib/platform/sdk/mcpParitySurface.js +0 -57
- package/dist/lib/platform/sdk/ontologyClient.d.ts +0 -131
- package/dist/lib/platform/sdk/ontologyClient.js +0 -161
- package/dist/lib/platform/sdk/packRuntime.d.ts +0 -1
- package/dist/lib/platform/sdk/packRuntime.js +0 -1
- package/dist/lib/platform/sdk/packsClient.d.ts +0 -126
- package/dist/lib/platform/sdk/packsClient.js +0 -157
- package/dist/lib/platform/sdk/policyClient.d.ts +0 -293
- package/dist/lib/platform/sdk/policyClient.js +0 -277
- package/dist/lib/platform/sdk/promptCatalog.js +0 -1
- package/dist/lib/platform/sdk/reportsClient.d.ts +0 -34
- package/dist/lib/platform/sdk/reportsClient.js +0 -64
- package/dist/lib/platform/sdk/schemaClient.d.ts +0 -59
- package/dist/lib/platform/sdk/schemaClient.js +0 -71
- package/dist/lib/platform/sdk/sdkSurface.d.ts +0 -56
- package/dist/lib/platform/sdk/sdkSurface.js +0 -140
- package/dist/lib/platform/sdk/topicsClient.d.ts +0 -78
- package/dist/lib/platform/sdk/topicsClient.js +0 -118
- package/dist/lib/platform/sdk/types.d.ts +0 -692
- package/dist/lib/platform/sdk/types.js +0 -1
- package/dist/lib/platform/sdk/version.d.ts +0 -2
- package/dist/lib/platform/sdk/workflowClient.d.ts +0 -313
- package/dist/lib/platform/sdk/workflowClient.js +0 -366
- package/dist/lucern/contracts/src/api-enums.contract.d.ts +0 -58
- package/dist/lucern/contracts/src/api-enums.contract.js +0 -147
- package/dist/lucern/contracts/src/auth-context.contract.d.ts +0 -8
- package/dist/lucern/contracts/src/auth-context.contract.js +0 -8
- package/dist/lucern/contracts/src/auth-session.contract.d.ts +0 -8
- package/dist/lucern/contracts/src/auth-session.contract.js +0 -8
- package/dist/lucern/contracts/src/auth.contract.d.ts +0 -88
- package/dist/lucern/contracts/src/auth.contract.js +0 -57
- package/dist/lucern/contracts/src/context-pack.contract.d.ts +0 -494
- package/dist/lucern/contracts/src/context-pack.contract.js +0 -169
- package/dist/lucern/contracts/src/convex-admin.contract.d.ts +0 -5
- package/dist/lucern/contracts/src/convex-admin.contract.js +0 -1
- package/dist/lucern/contracts/src/events-types.contract.d.ts +0 -8
- package/dist/lucern/contracts/src/events-types.contract.js +0 -8
- package/dist/lucern/contracts/src/events.contract.d.ts +0 -176
- package/dist/lucern/contracts/src/events.contract.js +0 -159
- package/dist/lucern/contracts/src/gateway.contract.d.ts +0 -74
- package/dist/lucern/contracts/src/gateway.contract.js +0 -19
- package/dist/lucern/contracts/src/ids.contract.d.ts +0 -7
- package/dist/lucern/contracts/src/ids.contract.js +0 -24
- package/dist/lucern/contracts/src/index.d.ts +0 -29
- package/dist/lucern/contracts/src/index.js +0 -29
- package/dist/lucern/contracts/src/lens-filter.contract.d.ts +0 -70
- package/dist/lucern/contracts/src/lens-filter.contract.js +0 -95
- package/dist/lucern/contracts/src/lens-workflow.contract.d.ts +0 -84
- package/dist/lucern/contracts/src/lens-workflow.contract.js +0 -54
- package/dist/lucern/contracts/src/mcp-tools.contract.d.ts +0 -151
- package/dist/lucern/contracts/src/mcp-tools.contract.js +0 -3281
- package/dist/lucern/contracts/src/ontology-matching.contract.d.ts +0 -8
- package/dist/lucern/contracts/src/ontology-matching.contract.js +0 -8
- package/dist/lucern/contracts/src/prompt.contract.d.ts +0 -24
- package/dist/lucern/contracts/src/prompt.contract.js +0 -24
- package/dist/lucern/contracts/src/sdk-methods.contract.d.ts +0 -358
- package/dist/lucern/contracts/src/sdk-methods.contract.js +0 -19
- package/dist/lucern/contracts/src/sdk-tools.contract.d.ts +0 -92
- package/dist/lucern/contracts/src/sdk-tools.contract.js +0 -1398
- package/dist/lucern/contracts/src/text-matching.contract.d.ts +0 -53
- package/dist/lucern/contracts/src/text-matching.contract.js +0 -277
- package/dist/lucern/contracts/src/topic-scope.contract.d.ts +0 -8
- package/dist/lucern/contracts/src/topic-scope.contract.js +0 -8
- package/dist/lucern/contracts/src/workflow-runtime.contract.d.ts +0 -161
- package/dist/lucern/contracts/src/workflow-runtime.contract.js +0 -257
- package/dist/realtime-refs.d.ts +0 -1
- package/dist/realtime-refs.js +0 -1
- package/dist/realtime.d.ts +0 -1
- package/dist/realtime.js +0 -1
- /package/{dist/lib/platform/sdk/index.d.ts → src/index.ts} +0 -0
- /package/{dist/lib/platform/sdk/promptCatalog.d.ts → src/promptCatalog.ts} +0 -0
- /package/{dist/lib/platform/sdk/version.js → src/version.ts} +0 -0
|
@@ -0,0 +1,572 @@
|
|
|
1
|
+
import {
|
|
2
|
+
createGatewayRequestClient,
|
|
3
|
+
type GatewayClientConfig,
|
|
4
|
+
type GatewayScope,
|
|
5
|
+
LucernApiError,
|
|
6
|
+
randomIdempotencyKey,
|
|
7
|
+
toQueryString,
|
|
8
|
+
} from "./coreClient";
|
|
9
|
+
import { createListResult, mapGatewayData } from "./sdkSurface";
|
|
10
|
+
|
|
11
|
+
export { LucernApiError };
|
|
12
|
+
export type { GatewayScope, PlatformGatewaySuccess } from "./coreClient";
|
|
13
|
+
|
|
14
|
+
/** Configuration for the policy client. */
|
|
15
|
+
export type PolicyClientConfig = GatewayClientConfig;
|
|
16
|
+
|
|
17
|
+
/** Permission direction: read access or write access. */
|
|
18
|
+
export type PermissionKind = "read" | "write";
|
|
19
|
+
|
|
20
|
+
/** Permission level for a write policy rule. */
|
|
21
|
+
export type WritePolicyPermission = "allow" | "deny" | "review_required";
|
|
22
|
+
|
|
23
|
+
type TopicRecord = {
|
|
24
|
+
topicId?: string;
|
|
25
|
+
name?: string;
|
|
26
|
+
type?: string;
|
|
27
|
+
isOwner?: boolean;
|
|
28
|
+
[key: string]: unknown;
|
|
29
|
+
};
|
|
30
|
+
|
|
31
|
+
/** Structured explanation of how a policy decision was derived. */
|
|
32
|
+
export type PolicyDecisionExplanation = {
|
|
33
|
+
summary?: string;
|
|
34
|
+
matchedReasonCode?: string;
|
|
35
|
+
steps?: Array<{
|
|
36
|
+
stage?: string;
|
|
37
|
+
outcome?: string;
|
|
38
|
+
reasonCode?: string;
|
|
39
|
+
detail?: string;
|
|
40
|
+
}>;
|
|
41
|
+
[key: string]: unknown;
|
|
42
|
+
};
|
|
43
|
+
|
|
44
|
+
/** Result of a permission check against the policy engine. */
|
|
45
|
+
export type PermissionDecision = {
|
|
46
|
+
allowed?: boolean;
|
|
47
|
+
decision?: string;
|
|
48
|
+
reasonCode?: string;
|
|
49
|
+
principalId?: string;
|
|
50
|
+
topicId?: string;
|
|
51
|
+
permission?: string;
|
|
52
|
+
policyVersion?: string;
|
|
53
|
+
traceId?: string | null;
|
|
54
|
+
explanation?: PolicyDecisionExplanation;
|
|
55
|
+
};
|
|
56
|
+
|
|
57
|
+
/** A persisted write policy rule controlling mutation access. */
|
|
58
|
+
export type WritePolicyRecord = {
|
|
59
|
+
id?: string;
|
|
60
|
+
topicId?: string;
|
|
61
|
+
role?: string;
|
|
62
|
+
toolCategory?: string;
|
|
63
|
+
permission?: WritePolicyPermission;
|
|
64
|
+
maxWritesPerSession?: number;
|
|
65
|
+
enabled?: boolean;
|
|
66
|
+
rationale?: string;
|
|
67
|
+
createdAt?: number;
|
|
68
|
+
updatedAt?: number;
|
|
69
|
+
createdBy?: string;
|
|
70
|
+
resolution?: string;
|
|
71
|
+
[key: string]: unknown;
|
|
72
|
+
};
|
|
73
|
+
|
|
74
|
+
/** Input for creating a write policy rule. */
|
|
75
|
+
export type WritePolicyCreateInput = GatewayScope & {
|
|
76
|
+
topicId?: string;
|
|
77
|
+
role: string;
|
|
78
|
+
toolCategory: string;
|
|
79
|
+
permission: WritePolicyPermission;
|
|
80
|
+
maxWritesPerSession?: number;
|
|
81
|
+
enabled?: boolean;
|
|
82
|
+
rationale?: string;
|
|
83
|
+
createdBy?: string;
|
|
84
|
+
};
|
|
85
|
+
|
|
86
|
+
/** Input for partially updating an existing write policy rule. */
|
|
87
|
+
export type WritePolicyUpdateInput = GatewayScope & {
|
|
88
|
+
topicId?: string;
|
|
89
|
+
clearTopicId?: boolean;
|
|
90
|
+
role?: string;
|
|
91
|
+
toolCategory?: string;
|
|
92
|
+
permission?: WritePolicyPermission;
|
|
93
|
+
maxWritesPerSession?: number;
|
|
94
|
+
clearMaxWritesPerSession?: boolean;
|
|
95
|
+
enabled?: boolean;
|
|
96
|
+
rationale?: string;
|
|
97
|
+
clearRationale?: boolean;
|
|
98
|
+
};
|
|
99
|
+
|
|
100
|
+
export type TenantPolicyPermission = {
|
|
101
|
+
resource: string;
|
|
102
|
+
actions: string[];
|
|
103
|
+
};
|
|
104
|
+
|
|
105
|
+
export type TenantPolicyRecord = {
|
|
106
|
+
id?: string;
|
|
107
|
+
tenantId: string;
|
|
108
|
+
workspaceId?: string;
|
|
109
|
+
roleName: string;
|
|
110
|
+
description?: string;
|
|
111
|
+
permissions: TenantPolicyPermission[];
|
|
112
|
+
groupBindings: string[];
|
|
113
|
+
createdAt?: number;
|
|
114
|
+
updatedAt?: number;
|
|
115
|
+
createdBy?: string;
|
|
116
|
+
updatedBy?: string;
|
|
117
|
+
};
|
|
118
|
+
|
|
119
|
+
type AccessibleTopicsResponse = {
|
|
120
|
+
permission: PermissionKind;
|
|
121
|
+
topics: TopicRecord[];
|
|
122
|
+
total: number;
|
|
123
|
+
deniedTopics: Array<{
|
|
124
|
+
topicId: string;
|
|
125
|
+
reasonCode: string;
|
|
126
|
+
}>;
|
|
127
|
+
};
|
|
128
|
+
|
|
129
|
+
type FilterByPermissionResponse = {
|
|
130
|
+
permission: PermissionKind;
|
|
131
|
+
allowedTopicIds: string[];
|
|
132
|
+
deniedTopics: Array<{
|
|
133
|
+
topicId: string;
|
|
134
|
+
reasonCode: string;
|
|
135
|
+
}>;
|
|
136
|
+
count: number;
|
|
137
|
+
};
|
|
138
|
+
|
|
139
|
+
function asTopicArray(data: unknown): TopicRecord[] {
|
|
140
|
+
if (Array.isArray(data)) {
|
|
141
|
+
return data.filter(
|
|
142
|
+
(row): row is TopicRecord => Boolean(row) && typeof row === "object"
|
|
143
|
+
);
|
|
144
|
+
}
|
|
145
|
+
return [];
|
|
146
|
+
}
|
|
147
|
+
|
|
148
|
+
function asWritePolicyRecord(data: unknown): WritePolicyRecord | null {
|
|
149
|
+
if (!data || typeof data !== "object") {
|
|
150
|
+
return null;
|
|
151
|
+
}
|
|
152
|
+
return data as WritePolicyRecord;
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
function asWritePolicyArray(data: unknown): WritePolicyRecord[] {
|
|
156
|
+
if (!Array.isArray(data)) {
|
|
157
|
+
return [];
|
|
158
|
+
}
|
|
159
|
+
return data
|
|
160
|
+
.map(asWritePolicyRecord)
|
|
161
|
+
.filter((row): row is WritePolicyRecord => Boolean(row));
|
|
162
|
+
}
|
|
163
|
+
|
|
164
|
+
function asRolePolicyRecord(data: unknown): TenantPolicyRecord | null {
|
|
165
|
+
if (!data || typeof data !== "object") {
|
|
166
|
+
return null;
|
|
167
|
+
}
|
|
168
|
+
return data as TenantPolicyRecord;
|
|
169
|
+
}
|
|
170
|
+
|
|
171
|
+
function asRolePolicyArray(data: unknown): TenantPolicyRecord[] {
|
|
172
|
+
if (!Array.isArray(data)) {
|
|
173
|
+
return [];
|
|
174
|
+
}
|
|
175
|
+
return data
|
|
176
|
+
.map(asRolePolicyRecord)
|
|
177
|
+
.filter((row): row is TenantPolicyRecord => Boolean(row));
|
|
178
|
+
}
|
|
179
|
+
|
|
180
|
+
/**
|
|
181
|
+
* Create the policy client for permission checks, grants, and write policies.
|
|
182
|
+
* @param config - Gateway transport configuration.
|
|
183
|
+
* @returns An object with methods to check permissions, manage grants, and manage write policies.
|
|
184
|
+
*/
|
|
185
|
+
export function createPolicyClient(config: PolicyClientConfig = {}) {
|
|
186
|
+
const gateway = createGatewayRequestClient(config);
|
|
187
|
+
|
|
188
|
+
return {
|
|
189
|
+
/**
|
|
190
|
+
* List policy decisions in the current scope.
|
|
191
|
+
*/
|
|
192
|
+
async listDecisions(
|
|
193
|
+
query: GatewayScope & {
|
|
194
|
+
action?: string;
|
|
195
|
+
decision?: string;
|
|
196
|
+
traceId?: string;
|
|
197
|
+
principalId?: string;
|
|
198
|
+
topicId?: string;
|
|
199
|
+
limit?: number;
|
|
200
|
+
} = {}
|
|
201
|
+
) {
|
|
202
|
+
return gateway.request<unknown>({
|
|
203
|
+
path: `/api/platform/v1/policy/decisions${toQueryString(query)}`,
|
|
204
|
+
}).then((response) =>
|
|
205
|
+
mapGatewayData(response, (data) =>
|
|
206
|
+
createListResult(Array.isArray(data) ? data : [], "decisions")
|
|
207
|
+
)
|
|
208
|
+
);
|
|
209
|
+
},
|
|
210
|
+
|
|
211
|
+
/**
|
|
212
|
+
* Create a permission grant.
|
|
213
|
+
*/
|
|
214
|
+
async grant(
|
|
215
|
+
input: GatewayScope & {
|
|
216
|
+
topicId: string;
|
|
217
|
+
permission: PermissionKind;
|
|
218
|
+
principal?: string;
|
|
219
|
+
principalId?: string;
|
|
220
|
+
groupId?: string;
|
|
221
|
+
beliefClusterId?: string;
|
|
222
|
+
expiresAt?: number;
|
|
223
|
+
},
|
|
224
|
+
idempotencyKey?: string
|
|
225
|
+
) {
|
|
226
|
+
return gateway.request<unknown>({
|
|
227
|
+
path: "/api/platform/v1/policy/grant",
|
|
228
|
+
method: "POST",
|
|
229
|
+
body: input,
|
|
230
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
231
|
+
});
|
|
232
|
+
},
|
|
233
|
+
|
|
234
|
+
/**
|
|
235
|
+
* Delete a permission grant by revoking it.
|
|
236
|
+
*/
|
|
237
|
+
async revoke(
|
|
238
|
+
input: GatewayScope & {
|
|
239
|
+
topicId: string;
|
|
240
|
+
principal?: string;
|
|
241
|
+
principalId?: string;
|
|
242
|
+
groupId?: string;
|
|
243
|
+
beliefClusterId?: string;
|
|
244
|
+
},
|
|
245
|
+
idempotencyKey?: string
|
|
246
|
+
) {
|
|
247
|
+
return gateway.request<unknown>({
|
|
248
|
+
path: "/api/platform/v1/policy/revoke",
|
|
249
|
+
method: "POST",
|
|
250
|
+
body: input,
|
|
251
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
252
|
+
});
|
|
253
|
+
},
|
|
254
|
+
|
|
255
|
+
/**
|
|
256
|
+
* List write policy rules for the current scope.
|
|
257
|
+
*/
|
|
258
|
+
async listWritePolicies(
|
|
259
|
+
query: GatewayScope & {
|
|
260
|
+
topicId?: string;
|
|
261
|
+
role?: string;
|
|
262
|
+
toolCategory?: string;
|
|
263
|
+
enabled?: boolean;
|
|
264
|
+
} = {}
|
|
265
|
+
) {
|
|
266
|
+
const response = await gateway.request<{ policies?: unknown[] }>({
|
|
267
|
+
path: `/api/platform/v1/policy/write-policies${toQueryString(query)}`,
|
|
268
|
+
});
|
|
269
|
+
const rawPolicies =
|
|
270
|
+
response.data && typeof response.data === "object"
|
|
271
|
+
? (response.data as { policies?: unknown[] }).policies
|
|
272
|
+
: response.data;
|
|
273
|
+
|
|
274
|
+
return {
|
|
275
|
+
...response,
|
|
276
|
+
data: {
|
|
277
|
+
policies: asWritePolicyArray(rawPolicies),
|
|
278
|
+
},
|
|
279
|
+
};
|
|
280
|
+
},
|
|
281
|
+
|
|
282
|
+
/**
|
|
283
|
+
* Create a write policy rule.
|
|
284
|
+
*/
|
|
285
|
+
async createWritePolicy(
|
|
286
|
+
input: WritePolicyCreateInput,
|
|
287
|
+
idempotencyKey?: string
|
|
288
|
+
) {
|
|
289
|
+
const response = await gateway.request<{
|
|
290
|
+
id?: string;
|
|
291
|
+
created?: boolean;
|
|
292
|
+
policy?: unknown;
|
|
293
|
+
}>({
|
|
294
|
+
path: "/api/platform/v1/policy/write-policies",
|
|
295
|
+
method: "POST",
|
|
296
|
+
body: input,
|
|
297
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
298
|
+
});
|
|
299
|
+
|
|
300
|
+
return {
|
|
301
|
+
...response,
|
|
302
|
+
data: {
|
|
303
|
+
id:
|
|
304
|
+
typeof response.data?.id === "string" ? response.data.id : undefined,
|
|
305
|
+
created: response.data?.created === true,
|
|
306
|
+
policy: asWritePolicyRecord(response.data?.policy),
|
|
307
|
+
},
|
|
308
|
+
};
|
|
309
|
+
},
|
|
310
|
+
|
|
311
|
+
/**
|
|
312
|
+
* Update an existing write policy rule by identifier.
|
|
313
|
+
*/
|
|
314
|
+
async updateWritePolicy(
|
|
315
|
+
id: string,
|
|
316
|
+
input: WritePolicyUpdateInput,
|
|
317
|
+
idempotencyKey?: string
|
|
318
|
+
) {
|
|
319
|
+
const response = await gateway.request<{
|
|
320
|
+
id?: string;
|
|
321
|
+
updated?: boolean;
|
|
322
|
+
policy?: unknown;
|
|
323
|
+
}>({
|
|
324
|
+
path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(id)}`,
|
|
325
|
+
method: "PATCH",
|
|
326
|
+
body: input,
|
|
327
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
328
|
+
});
|
|
329
|
+
|
|
330
|
+
return {
|
|
331
|
+
...response,
|
|
332
|
+
data: {
|
|
333
|
+
id:
|
|
334
|
+
typeof response.data?.id === "string" ? response.data.id : undefined,
|
|
335
|
+
updated: response.data?.updated === true,
|
|
336
|
+
policy: asWritePolicyRecord(response.data?.policy),
|
|
337
|
+
},
|
|
338
|
+
};
|
|
339
|
+
},
|
|
340
|
+
|
|
341
|
+
/**
|
|
342
|
+
* Delete a write policy rule by identifier.
|
|
343
|
+
*/
|
|
344
|
+
async deleteWritePolicy(
|
|
345
|
+
id: string,
|
|
346
|
+
scope: GatewayScope = {},
|
|
347
|
+
idempotencyKey?: string
|
|
348
|
+
) {
|
|
349
|
+
return gateway.request<{ id?: string; deleted?: boolean }>({
|
|
350
|
+
path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(
|
|
351
|
+
id
|
|
352
|
+
)}${toQueryString(scope)}`,
|
|
353
|
+
method: "DELETE",
|
|
354
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
355
|
+
});
|
|
356
|
+
},
|
|
357
|
+
|
|
358
|
+
/**
|
|
359
|
+
* List tenant role policies for the current scope.
|
|
360
|
+
*/
|
|
361
|
+
async listRolePolicies(query: GatewayScope = {}) {
|
|
362
|
+
const response = await gateway.request<{ policies?: unknown[] }>({
|
|
363
|
+
path: `/api/platform/v1/policy/roles${toQueryString(query)}`,
|
|
364
|
+
});
|
|
365
|
+
|
|
366
|
+
return {
|
|
367
|
+
...response,
|
|
368
|
+
data: {
|
|
369
|
+
policies: asRolePolicyArray(response.data?.policies),
|
|
370
|
+
},
|
|
371
|
+
};
|
|
372
|
+
},
|
|
373
|
+
|
|
374
|
+
/**
|
|
375
|
+
* Create a tenant role policy.
|
|
376
|
+
*/
|
|
377
|
+
async createRolePolicy(
|
|
378
|
+
input: GatewayScope & {
|
|
379
|
+
roleName: string;
|
|
380
|
+
description?: string;
|
|
381
|
+
permissions: TenantPolicyPermission[];
|
|
382
|
+
groupBindings?: string[];
|
|
383
|
+
},
|
|
384
|
+
idempotencyKey?: string
|
|
385
|
+
) {
|
|
386
|
+
const response = await gateway.request<{ policy?: unknown }>({
|
|
387
|
+
path: "/api/platform/v1/policy/roles",
|
|
388
|
+
method: "POST",
|
|
389
|
+
body: input,
|
|
390
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
391
|
+
});
|
|
392
|
+
|
|
393
|
+
return {
|
|
394
|
+
...response,
|
|
395
|
+
data: {
|
|
396
|
+
policy: asRolePolicyRecord(response.data?.policy),
|
|
397
|
+
},
|
|
398
|
+
};
|
|
399
|
+
},
|
|
400
|
+
|
|
401
|
+
/**
|
|
402
|
+
* Update a tenant role policy by identifier.
|
|
403
|
+
*/
|
|
404
|
+
async updateRolePolicy(
|
|
405
|
+
id: string,
|
|
406
|
+
input: GatewayScope & {
|
|
407
|
+
roleName: string;
|
|
408
|
+
description?: string;
|
|
409
|
+
permissions: TenantPolicyPermission[];
|
|
410
|
+
groupBindings?: string[];
|
|
411
|
+
},
|
|
412
|
+
idempotencyKey?: string
|
|
413
|
+
) {
|
|
414
|
+
const response = await gateway.request<{ policy?: unknown }>({
|
|
415
|
+
path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}`,
|
|
416
|
+
method: "PATCH",
|
|
417
|
+
body: input,
|
|
418
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
419
|
+
});
|
|
420
|
+
|
|
421
|
+
return {
|
|
422
|
+
...response,
|
|
423
|
+
data: {
|
|
424
|
+
policy: asRolePolicyRecord(response.data?.policy),
|
|
425
|
+
},
|
|
426
|
+
};
|
|
427
|
+
},
|
|
428
|
+
|
|
429
|
+
/**
|
|
430
|
+
* Delete a tenant role policy by identifier.
|
|
431
|
+
*/
|
|
432
|
+
async deleteRolePolicy(
|
|
433
|
+
id: string,
|
|
434
|
+
scope: GatewayScope = {},
|
|
435
|
+
idempotencyKey?: string
|
|
436
|
+
) {
|
|
437
|
+
return gateway.request<unknown>({
|
|
438
|
+
path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}${toQueryString(
|
|
439
|
+
scope
|
|
440
|
+
)}`,
|
|
441
|
+
method: "DELETE",
|
|
442
|
+
idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
|
|
443
|
+
});
|
|
444
|
+
},
|
|
445
|
+
|
|
446
|
+
/**
|
|
447
|
+
* Check a permission decision for a topic or project scope.
|
|
448
|
+
*/
|
|
449
|
+
async checkPermission(
|
|
450
|
+
query: GatewayScope & {
|
|
451
|
+
topicId?: string;
|
|
452
|
+
permission?: PermissionKind;
|
|
453
|
+
principal?: string;
|
|
454
|
+
principalId?: string;
|
|
455
|
+
beliefClusterId?: string;
|
|
456
|
+
}
|
|
457
|
+
) {
|
|
458
|
+
if (!query.topicId) {
|
|
459
|
+
throw new Error("topicId is required");
|
|
460
|
+
}
|
|
461
|
+
return gateway.request<PermissionDecision>({
|
|
462
|
+
path: `/api/platform/v1/policy/check${toQueryString(query)}`,
|
|
463
|
+
});
|
|
464
|
+
},
|
|
465
|
+
|
|
466
|
+
/**
|
|
467
|
+
* List accessible topics for a principal.
|
|
468
|
+
*/
|
|
469
|
+
async listAccessibleTopics(
|
|
470
|
+
query: GatewayScope & {
|
|
471
|
+
permission?: PermissionKind;
|
|
472
|
+
includeShared?: boolean;
|
|
473
|
+
principal?: string;
|
|
474
|
+
principalId?: string;
|
|
475
|
+
limit?: number;
|
|
476
|
+
} = {}
|
|
477
|
+
) {
|
|
478
|
+
const permission = query.permission ?? "read";
|
|
479
|
+
const principal = query.principal ?? query.principalId;
|
|
480
|
+
const response = await gateway.request<{
|
|
481
|
+
permission?: PermissionKind;
|
|
482
|
+
topics?: unknown[];
|
|
483
|
+
total?: number;
|
|
484
|
+
deniedTopics?: Array<{
|
|
485
|
+
topicId: string;
|
|
486
|
+
reasonCode: string;
|
|
487
|
+
}>;
|
|
488
|
+
}>({
|
|
489
|
+
path: `/api/platform/v1/policy/topics${toQueryString({
|
|
490
|
+
tenantId: query.tenantId,
|
|
491
|
+
workspaceId: query.workspaceId,
|
|
492
|
+
permission,
|
|
493
|
+
includeShared: query.includeShared,
|
|
494
|
+
principal,
|
|
495
|
+
limit: query.limit,
|
|
496
|
+
})}`,
|
|
497
|
+
});
|
|
498
|
+
|
|
499
|
+
return {
|
|
500
|
+
...response,
|
|
501
|
+
data: {
|
|
502
|
+
permission,
|
|
503
|
+
topics: asTopicArray(response.data?.topics),
|
|
504
|
+
total:
|
|
505
|
+
typeof response.data?.total === "number"
|
|
506
|
+
? response.data.total
|
|
507
|
+
: asTopicArray(response.data?.topics).length,
|
|
508
|
+
deniedTopics: Array.isArray(response.data?.deniedTopics)
|
|
509
|
+
? response.data.deniedTopics
|
|
510
|
+
: [],
|
|
511
|
+
} satisfies AccessibleTopicsResponse,
|
|
512
|
+
};
|
|
513
|
+
},
|
|
514
|
+
|
|
515
|
+
/**
|
|
516
|
+
* Filter topic identifiers by permission.
|
|
517
|
+
*/
|
|
518
|
+
async filterByPermission(
|
|
519
|
+
input: GatewayScope & {
|
|
520
|
+
topicIds?: string[];
|
|
521
|
+
permission?: PermissionKind;
|
|
522
|
+
principal?: string;
|
|
523
|
+
principalId?: string;
|
|
524
|
+
}
|
|
525
|
+
) {
|
|
526
|
+
const permission = input.permission ?? "read";
|
|
527
|
+
const principal = input.principal ?? input.principalId;
|
|
528
|
+
const uniqueTopicIds = [...new Set(input.topicIds ?? [])].filter(
|
|
529
|
+
(topicId) => typeof topicId === "string" && topicId.trim().length > 0
|
|
530
|
+
);
|
|
531
|
+
const response = await gateway.request<{
|
|
532
|
+
permission?: PermissionKind;
|
|
533
|
+
allowedTopicIds?: string[];
|
|
534
|
+
deniedTopics?: Array<{
|
|
535
|
+
topicId: string;
|
|
536
|
+
reasonCode: string;
|
|
537
|
+
}>;
|
|
538
|
+
count?: number;
|
|
539
|
+
}>({
|
|
540
|
+
path: "/api/platform/v1/policy/filter",
|
|
541
|
+
method: "POST",
|
|
542
|
+
body: {
|
|
543
|
+
tenantId: input.tenantId,
|
|
544
|
+
workspaceId: input.workspaceId,
|
|
545
|
+
topicIds: uniqueTopicIds,
|
|
546
|
+
permission,
|
|
547
|
+
principal,
|
|
548
|
+
},
|
|
549
|
+
});
|
|
550
|
+
|
|
551
|
+
const allowedTopicIds = Array.isArray(response.data?.allowedTopicIds)
|
|
552
|
+
? response.data.allowedTopicIds
|
|
553
|
+
: [];
|
|
554
|
+
const deniedTopics = Array.isArray(response.data?.deniedTopics)
|
|
555
|
+
? response.data.deniedTopics
|
|
556
|
+
: [];
|
|
557
|
+
|
|
558
|
+
return {
|
|
559
|
+
success: true,
|
|
560
|
+
data: {
|
|
561
|
+
permission,
|
|
562
|
+
allowedTopicIds,
|
|
563
|
+
deniedTopics,
|
|
564
|
+
count:
|
|
565
|
+
typeof response.data?.count === "number"
|
|
566
|
+
? response.data.count
|
|
567
|
+
: allowedTopicIds.length,
|
|
568
|
+
} satisfies FilterByPermissionResponse,
|
|
569
|
+
};
|
|
570
|
+
},
|
|
571
|
+
};
|
|
572
|
+
}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
import { ConvexHttpClient } from "convex/browser";
|
|
2
|
+
import type { ConvexReactClientOptions as LucernConvexReactClientOptions } from "convex/react";
|
|
3
|
+
import {
|
|
4
|
+
ConvexReactClient,
|
|
5
|
+
useAction,
|
|
6
|
+
useConvex,
|
|
7
|
+
useMutation,
|
|
8
|
+
useQuery,
|
|
9
|
+
} from "convex/react";
|
|
10
|
+
|
|
11
|
+
/**
|
|
12
|
+
* Re-export the server-safe ref surface so existing client consumers keep a
|
|
13
|
+
* single import site. Server code must import from `@lucern/sdk/realtime/refs`
|
|
14
|
+
* instead, because this module statically pulls in `convex/react` which is
|
|
15
|
+
* incompatible with the Next.js Edge runtime React shim.
|
|
16
|
+
*/
|
|
17
|
+
export { subscriptionRefs, platformApi, type AnyApi } from "./refs";
|
|
18
|
+
|
|
19
|
+
/**
|
|
20
|
+
* Opt-in realtime hook surface. These preserve native Convex semantics while
|
|
21
|
+
* moving the transport boundary behind an SDK subpath export.
|
|
22
|
+
*/
|
|
23
|
+
export const useLucernSubscription: typeof useQuery = useQuery;
|
|
24
|
+
export const useLucernMutation: typeof useMutation = useMutation;
|
|
25
|
+
export const useLucernAction: typeof useAction = useAction;
|
|
26
|
+
export const useLucernRealtimeClient: typeof useConvex = useConvex;
|
|
27
|
+
|
|
28
|
+
export type LucernRealtimeClient = ConvexReactClient;
|
|
29
|
+
export type LucernHttpClient = ConvexHttpClient;
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* Construct the Convex realtime client that host apps wire into their provider
|
|
33
|
+
* tree. Keeping this here lets HTTP-only consumers avoid importing the
|
|
34
|
+
* realtime surface altogether.
|
|
35
|
+
*/
|
|
36
|
+
export function createLucernRealtimeClient(
|
|
37
|
+
address: string,
|
|
38
|
+
options?: LucernConvexReactClientOptions
|
|
39
|
+
): LucernRealtimeClient {
|
|
40
|
+
return new ConvexReactClient(address, options);
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
/**
|
|
44
|
+
* Construct the HTTP-only Convex client behind the SDK boundary so app code
|
|
45
|
+
* does not import `convex/browser` directly.
|
|
46
|
+
*/
|
|
47
|
+
export function createLucernHttpClient(address: string): LucernHttpClient {
|
|
48
|
+
return new ConvexHttpClient(address);
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
export type { LucernConvexReactClientOptions };
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { type AnyApi, anyApi } from "convex/server";
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Server-safe realtime ref surface.
|
|
5
|
+
*
|
|
6
|
+
* Keep this module free of any import that transitively pulls `convex/react`
|
|
7
|
+
* or `convex/browser`. Edge-runtime routes and server adapters import from
|
|
8
|
+
* `@lucern/sdk/realtime/refs` so Next.js never bundles the Convex React client
|
|
9
|
+
* (which imports React hooks that are not available in the Edge runtime shim).
|
|
10
|
+
*
|
|
11
|
+
* Client consumers should continue importing from `@lucern/sdk/realtime`.
|
|
12
|
+
*/
|
|
13
|
+
export const subscriptionRefs: AnyApi = anyApi;
|
|
14
|
+
|
|
15
|
+
export const platformApi = subscriptionRefs;
|
|
16
|
+
|
|
17
|
+
export type { AnyApi };
|